US11283790B2ActiveUtilityA1

Agentless identity-based network switching

42
Assignee: IP TECH LABS LLCPriority: Jun 19, 2019Filed: Jun 18, 2020Granted: Mar 22, 2022
Est. expiryJun 19, 2039(~12.9 yrs left)· nominal 20-yr term from priority
H04L 9/006H04L 63/18H04L 9/3263H04L 63/0823H04L 63/10
42
PatentIndex Score
0
Cited by
17
References
16
Claims

Abstract

The invention described herein is that of systems and methods for agentless identity-based authentication of network-enabled devices for control of network traffic to and from each device based on identity. The invention leverages X.509 certificates associated with network devices and comprises at least one querying device in communication with at least target device and optionally at least one intermediate device, such as but not limited to a switching device that can interface with the target device and enable the querying device to query the target device to obtain an X.509 certificate and any extensions, then dictate switching actions, which may be carried out by the querying device according to instructions provided by a switching module residing on the querying device or located external to the querying device. The systems and methods described herein are suitable for validation of the identities of fixed application devices to prevent unauthorized network access.

Claims

exact text as granted — not AI-modified
The invention claimed is: 
     
       1. A system for agentless identity-based network switching of data traffic among network-enabled devices, the system comprising:
 a querying device in network communication with a target device, wherein the target device comprises an X.509 certificate identifying the target device; and 
 a query module, an analysis module and a switching module, each tangibly stored on a non-transitory computer readable medium; wherein 
 the query module comprises instructions which when executed by a processor cause the processor to establish a first data path between the querying device and the target device and obtain the X.509 certificate; 
 the analysis module comprises instructions which when executed by a processor cause the processor to: 
 parse the X.509 certificate into individual information elements; 
 compare the individual information elements to a set of reference information elements; 
 generate an analytical output comprising a validated identity of the target device based on comparison of the individual information elements to the reference information elements; and 
 transmit the analytical output to the switching module; and 
 the switching module comprises instructions which when executed by a processor cause the processor to execute a switching action on the data traffic received by the querying device from the target device over the first data path based on the analytical output; 
 wherein the switching action is selected from the group consisting of blocking the target device's access to a network, permitting the target device's access to the network, limiting the target device's access to the network or diverting the target device's access away from the network, local physical switching, logical switching, application of firewall rules, remote logical signaling, and configuring the target device's access to the network. 
 
     
     
       2. The system of  claim 1 , wherein the switching action is executed from within the querying device. 
     
     
       3. The system of  claim 1 , wherein the target device is a fixed application device. 
     
     
       4. The system of  claim 3 , wherein the target device is selected from the group consisting of cameras, printers, access controllers, alarms, paging systems, locking systems, safe deposit boxes, cash management systems, automatic teller machines and card readers. 
     
     
       5. The system of  claim 1 , further comprising an intermediate device in network communication with the querying device, target device, query module, analysis module and switching module, the intermediate device comprising at least one switch interface and a management control interface, wherein:
 the query module further comprises instructions which when executed by a processor cause the processor to establish a second data path between the querying device and the target device through the intermediate device and obtain the X.509 certificate; and 
 the switching module further comprises instructions which when executed by a processor cause the processor to: 
 establish a logical interface between the switching module and the management control interface; and 
 execute a switching action on the data traffic received by the querying device from the target device over the logical interface based on the analytical output; 
 wherein the switching action is selected from the group consisting of blocking the target device's access to a network, permitting the target device's access to the network, limiting the target device's access to the network or diverting the target device's access away from the network, local physical switching, logical switching, application of firewall rules, remote logical signaling, and configuring the target device's access to the network. 
 
     
     
       6. The system of  claim 5 , wherein the switching action is executed from within the intermediate device. 
     
     
       7. The system of  claim 5 , wherein the target device is a fixed application device. 
     
     
       8. The system of  claim 5 , wherein the target device is selected from the group consisting of cameras, printers, access controllers, alarms, paging systems, locking systems, safe deposit boxes, cash management systems, automatic teller machines and card readers. 
     
     
       9. A method for agentless identity-based network switching of data traffic between network-enabled devices, the method comprising:
 initiating from a querying device a request for an X.509 certificate from a target device in network communication with the querying device; 
 establishing via a processor a first data path between the querying device and the target device and requests and obtains the X.509 certificate in response to instructions communicated to the processor from a query module tangibly stored on a non-transitory computer readable medium; 
 parsing the X.509 certificate in response to instructions communicated to the processor from an analysis module tangibly stored on a non-transitory computer readable medium into individual information elements and compares the individual information elements to a set of reference information elements to generate an analytical output comprising a validated identity of the target device based on comparison of the individual information elements to the reference information elements; 
 transmitting the analytical output to a switching module tangibly stored on a non-transitory computer readable medium; and 
 executing a switching action in response to instructions communicated to the processor from the switching module on data traffic received by the querying device from the target device over the first data path based on the analytical output; 
 wherein the switching action is selected from the group consisting of blocking the target device's access to a network, permitting the target device's access to the network, limiting the target device's access to the network or diverting the target device's access away from the network, local physical switching, logical switching, application of firewall rules, remote logical signaling, and configuring the target device's access to the network. 
 
     
     
       10. The method of  claim 9 , wherein the reference set of information elements is selected from Public Key Infrastructure (PKI) elements or a reference set of information elements intrinsic to the analysis module. 
     
     
       11. The method of  claim 9 , wherein the target device is a fixed application device. 
     
     
       12. The method of  claim 9 , wherein the target device is selected from the group consisting of cameras, printers, access controllers, alarms, paging systems, locking systems, safe deposit boxes, cash management systems, automatic teller machines and card readers. 
     
     
       13. The method of  claim 9 , the method further comprising:
 establishing via a processor a second data path between the querying device and the target device through an intermediate device in response to instructions communicated from the query module; 
 transmitting the analytical output to a switching module tangibly stored on a non-transitory computer readable medium; 
 establishing a logical interface between the switching module and a management control interface of the intermediate device; and 
 executing via the intermediate device the switching action in response to instructions communicated to the processor from the switching module on data traffic received by the querying device from the target device over the second data path based on the analytical output; 
 wherein the switching action is selected from the group consisting of blocking the target device's access to a network, permitting the target device's access to the network, limiting the target device's access to the network or diverting the target device's access away from the network, local physical switching, logical switching, application of firewall rules, remote logical signaling, and configuring the target device's access to the network. 
 
     
     
       14. The method of  claim 9 , wherein the reference set of information elements is selected from Public Key Infrastructure (PKI) elements or a reference set of information elements intrinsic to the analysis module. 
     
     
       15. The method of  claim 9 , wherein the target device is a fixed application device. 
     
     
       16. The method of  claim 9 , wherein the target device is selected from the group consisting of cameras, printers, access controllers, alarms, paging systems, locking systems, safe deposit boxes, cash management systems, automatic teller machines and card readers.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.